A Look Back on the Future of Tomorrow
Like many of my industry peers, my first job was in the telecom industry developing software. Back in the day, we used telnet to remotely log in to the workstation of our choice and then go on about our day writing code and sipping coffee. Software security was not part of our vocabulary or our corporate culture.
I felt the winds of change over a decade ago when I attended DefCon for the first time. As a player intrigued by cyber security, I was hungry to learn more. One of the talks that year introduced CSRF, which up until that point I had thought was similar to ‘cross site scripting’. After the presentation, I learned that my assumptions were not entirely correct, and I was on a mission to make right the mistake I had made in the past on all of my web apps requiring authentication (none of which were public facing, thank goodness).
Through the process of exploration, I wrote an “exploit” to leverage a CSRF flaw in one of my projects. The ‘exploit’ was a success and gave me a testimonial to share with my colleagues, who also thought they knew what CSRF was but, like me before, didn’t fully understand the details and the impact.
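The distinction the talk drove home is that CSRF rides on the victim’s own session cookie, which the browser attaches to any cross-site form post, so an authenticated state-changing endpoint that checks only the cookie is exposed. The following is an added illustration, not code from the original post or from either company: a hypothetical transfer endpoint in its cookie-only form beside the same endpoint guarded by a per-session synchronizer token (an HMAC of the session id under a server key, all values constructed here).

```python
import hashlib
import hmac
import secrets

# Constructed demo state: one logged-in user whose browser holds a session cookie.
ACCOUNTS = {"alice": 100}
SESSIONS = {"sess-alice-123": "alice"}  # cookie value -> user
SERVER_KEY = secrets.token_bytes(32)    # per-deployment secret, generated here for the example


def csrf_token(session_cookie: str) -> str:
    """Synchronizer token tied to the session: HMAC(key, session), embedded in the real form."""
    return hmac.new(SERVER_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()


def transfer_unprotected(req: dict) -> tuple[int, str]:
    """State-changing endpoint that trusts the session cookie alone (the mistake described above)."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if user is None:
        return 401, "not logged in"
    ACCOUNTS[user] -= int(req["form"]["amount"])
    return 200, f"sent {req['form']['amount']} to {req['form']['to']}"


def transfer_protected(req: dict) -> tuple[int, str]:
    """Same endpoint, but the form must carry the per-session token another site cannot read."""
    session = req["cookies"].get("session")
    user = SESSIONS.get(session)
    if user is None:
        return 401, "not logged in"
    if not hmac.compare_digest(req["form"].get("csrf_token", ""), csrf_token(session)):
        return 403, "csrf token missing or invalid"
    ACCOUNTS[user] -= int(req["form"]["amount"])
    return 200, f"sent {req['form']['amount']} to {req['form']['to']}"


def forged_request(session_cookie: str) -> dict:
    """What the server sees when a form on another site posts while the victim is logged in:
    the browser attaches the cookie automatically, but that page cannot fill in the token."""
    return {"cookies": {"session": session_cookie}, "form": {"to": "mallory", "amount": "50"}}


def legitimate_request(session_cookie: str) -> dict:
    """Form rendered by the real site, so it includes the token for this session."""
    return {"cookies": {"session": session_cookie},
            "form": {"to": "bob", "amount": "10", "csrf_token": csrf_token(session_cookie)}}


if __name__ == "__main__":
    print(transfer_unprotected(forged_request("sess-alice-123")))    # 200: cookie alone is enough
    print(transfer_protected(forged_request("sess-alice-123")))      # 403: token check blocks it
    print(transfer_protected(legitimate_request("sess-alice-123")))  # 200: real form still works
```

Note that the token stops forged cross-site posts only; an XSS flaw on the same origin could read the token from the page, which is why the two issues are distinct and both need fixing.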
My journey took me into the world of flawed websites with issues such as SQL injection and XSS. The test platforms became our school as well as our playground. Together with skilled pen test analysts working for Digital Defense, Inc. (DDI), we agreed to perform a network vulnerability assessment on the host to see what “juicy” intelligence we could gather. I had not spent time hardening the box because I used it as an experiment only and as an opportunity to learn more about application security. The resulting scan revealed OS vulnerabilities, default-password configuration issues on the web server and much more. One voice of reason at the time said, “You don’t need to take advantage of vulnerabilities in your fancy web app. Why not just own the box with a default password or an off-the-shelf exploit for one of the Windows vulns?” The other voice challenged the norm and blazed a new trail of thought.
That trail has taught us that in order to fully cover the risk-related vulnerabilities of a specific information asset, it is not enough to assess the immediate application that manages the information. We need to go beyond the everyday and examine more.
That mentality and drive to go the extra distance, protecting the future of security through innovative methods today, is the fundamental concept of the DDI-Veracode partnership and the ground-breaking integration. With this integration, we are bringing together two very important risk technologies: network-based vulnerability assessments, which I view as looking at risk from the outside in toward the containers that hold the applications, and application assessments, both static and dynamic, which I view as examining risk from the inside looking out. From this perspective, application assessments examine risk at the atomic level, down to the individual lines of code, whereas network vulnerability assessments look at risk at a more macroscopic level. Each of these technologies has its own strengths, and although there are overlaps, each one covers risk that the other does not. Both of these are imperative. Combining the two and allowing an organization to view the overall combined risk and to manage the combined findings brings forth a ground-breaking offering.
To get a quick sense of the risk coverage of the combined offering, our team implemented some testing vehicles:
- Installation of an OWASP application called WebGoat onto a Windows XP machine. WebGoat is a vulnerable web application designed to teach web application security. In this experiment, it might represent a web application such as a retail online shopping site. Note that WebGoat requires Apache Tomcat as its web server. I enabled the Tomcat administrator’s web interface login.
- Added a mechanism to the machine to allow remote maintenance. The chosen mechanism was telnet, so as to enjoy this experiment even more, as it triggered a feeling of reminiscence back to my telecom days.
- Had a static as well as a dynamic Veracode scan performed, along with a DDI unauthenticated network vulnerability scan with the full password-guessing option selected. The findings were nothing less than cool! Veracode scans found many SQL injection flaws, cross-site scripting flaws and OS command injection flaws in both the static and dynamic scans.
The issues identified are top attack vectors used by hackers.
Static scans found even more interesting issues, such as problems with the crypto being used within the application, credential management issues and more! The DDI scans found OS vulnerabilities such as MS12-020, MS08-067 and more, an easily guessable telnet account (username/password), as well as the Tomcat administrator login credentials. The DDI scan even found a Win32/Rorpian worm. What do you know! The machine had been compromised! Wow!
There is power in this integration for those that are looking for a full-service platform to identify and address security risk and work to effectively create a culture of security.
Mr. Gordon MacKay will be speaking at RSA on this integration along with Chris Wysopal, Veracode CTO. Together they will cover this ground-breaking integration in more detail.